
Is Unmanaged Third-Party Risk Causing Dysfunction in Your Organization?

By Michael Volkov (updated ), tagged due diligence, compliance, third-party risk management

Running a business in today’s hyper-connected, interdependent world means being dependent upon relationships between third-party suppliers, vendors, resellers, and partners.  Unfortunately, risks are introduced with every third-party relationship and tend to spiral out accordingly.  Even partners' business practices in your organization’s supply chain can have direct and lasting consequences on your organization financially, legally, reputationally, and strategically.  As such, effective third-party risk management (“TPRM”) likely means the difference between your organization’s success and its failure.

Among other issues, third-party actions can create significant liability for your organization for corruption, fraud, financial crimes such as money laundering, sanctions violations, unethical practices including employment and human rights violations, or actions causing environmental harm.  Third-party misconduct can expose your organization to liability under US and non-US laws, and/or damage your ability to conduct business in certain jurisdictions.  Furthermore, non-reputational risks, such as financial instability, can affect a vendor’s ability to deliver parts and services.  A visit from a regulatory body can close a facility.  A negative regulatory finding or ethics investigation can distract management and have potential ramifications for your business.  Unmanaged third-party risk can cause irreversible damage to an organization, exposing companies to financial loss, non-compliance, regulatory action, litigation, loss of customers and clients, and reputational damage.

Additionally, cybersecurity and related supply chain vulnerability remain a key risk, given the shifts to remote work, digital transformation, online customer engagement, and the growing sophistication of cyber attackers.  Impacts on an organization can range from a reduction in service levels leading to customer dissatisfaction to the theft of intellectual property or the breakdown of critical business processes and lack of business continuity.  In a recent study by Ponemon Institute, 49% of respondents reported having experienced a data breach or cyberattack caused by a third party in 2022.  The average cost to US businesses: a whopping $9.44 million.  Reputational harm is one of the most severe repercussions of a data breach.  Even if the data breach was not your fault, the fact that your clients trusted you with their information and you let them down is all that matters.

The bottom line is that, if left unaddressed, any problems will cost more in the end than the proposed reform, through investigations and fines, increased reputational costs, inefficiencies, the distraction of management, and overall remediation.  A robust TPRM framework enables an organization to predict potential issues that might be caused down the line by doing business with a certain third party, and therefore puts that organization in the best position to avoid, or at least mitigate, those risks.  It can also help an organization eliminate fraud, abuse, and waste in third-party relationships.  TPRM is good business strategy.  In the long run, your organization will be more successful in the marketplace if it is regarded by its customers, regulators, and governmental investigators as a compliant company that conducts itself in an ethical manner.  In other words, revenues will increase as the company gains trust with its customers and the bottom line will improve through increased efficiencies accompanying an aligned TPRM process.

Determining and engaging key stakeholders early in the process can help your organization obtain the buy-in and support needed to bring about real change.  Furthermore, organizations that collaborate internally can drive down overall costs and streamline processes, while incorporating best practices, gaining greater agility in risk reduction, and improving communications with business partners.

How Much Visibility Does Your Organization’s Leadership Have in Third-Party Risk Assessment?

Massive enforcement actions focused on third parties have catapulted TPRM to a strategic consideration in boardrooms everywhere.  Leadership can no longer put their heads in the sand and refuse to acknowledge or understand the extent of the risks facing organizations today.  While it is ultimately the Board who is accountable for third parties and their issues, sound risk management and compliance processes include involvement from key stakeholders, so board-level involvement is critical for stakeholder buy-in.  One of the most important roles an organization’s leadership can play is setting the tone through consistent messaging that stresses the importance of risk and compliance; offering rewards that incentivize compliance will visibly support and reinforce that tone.  But leadership must go beyond merely talking the talk – they must walk the walk, teaching new behavior by example.

Board members are best positioned to define and guide the development of a corporate culture that considers the business goals and meets the needs of all stakeholders.  Working with senior leadership, the Board should identify the most critical risks facing the organization and set out the means of addressing them.  In this way, the culture is sure to promote a clear risk philosophy to guide employees’ behaviors and decision-making.  Senior leadership must both prioritize that culture and provide the resources to sustain it, and it is ultimately responsible for enforcing the requirements stated in the policies and standards and for driving accountability among key stakeholders.

To achieve effective TPRM execution, it is critical for all internal stakeholders to understand their responsibilities when engaging a third party, the risks associated with doing business with an external party, and the consequences of not complying with the organization’s policies and standards; this understanding should be the keystone of every employee’s role in the organization.  There also needs to be a process in place to report critical risks to leadership in a timely fashion.

Is Your Organization Setting the Right Tone from the Middle?

The manner in which the “tone from the top” is reinforced is often just as crucial to implementing change in corporate culture.  Middle managers should be engaged in strategy implementation partly because of their structural positions in managing resources, providing information to decision-makers, and communicating the strategic intent of top management throughout the organization.  They play a critical role in this process by coordinating activities at the operational level that implement top-level decisions, thereby aligning corporate culture with leadership’s goals and strategic ambitions.  As the stakeholders who wield the most influence on the largest number of employees’ day-to-day experiences, middle managers can and should be utilized when attempting to build a culture of compliance within an organization, as they enable organizational change and gain more sustainable results in terms of savings and customer satisfaction.

Furthermore, as supervisors, middle managers typically have more extensive interactions with the employees who are most responsible for carrying out and adhering to the company’s policies, and they know what motivates those employees, the majority of whom have little direct contact with leadership.  Generally, middle management is responsible for ensuring that day-to-day operations run smoothly and at a high level of performance.  Playing an essential role in maintaining the infrastructures and facilities, controlling and organizing the logistics and delivery, analyzing the data and information systems, procuring raw materials, and in pricing strategy, middle managers achieve a deep understanding of how each department works so they can identify problems before they happen.  Middle managers should thus be valued as key agents in facilitating the kind of changes that need to be integrated as core activities in the daily routines of the organization, such as implementing a TPRM framework.

Crucially, middle managers develop networks and thereby can foster collaboration amongst departments.  Getting buy-in from managers and employees throughout the chain of command within the business helps to make sure that the message that compliance is important gets internalized and will inspire employees to invest in the company’s efforts to change.  Effective TPRM requires stakeholders to take a collaborative approach to assess their vendors and understand each one’s true impact on the business.

Is Dysfunction Caused by Lack of TPRM Oversight Alienating Your Organization’s Procurement Function?

Early involvement of the procurement department – a critical stakeholder in every TPRM framework – can reduce risk management burdens for both organizations and third parties.  With the right tools and framework, the procurement function can work closely, efficiently, and effectively with all areas of an organization to help provide a level of assurance that third parties are appropriately vetted and monitored throughout the life of the relationship.  Procurement can also help facilitate a centralized process that organizations should leverage for more than just achieving cost savings.  Decentralized functions increase the costs related to risk management while also increasing the fatigue of third parties as they answer multiple assessment questionnaires.

This is because procurement teams have pivotal responsibilities at every stage of the third-party relationship life cycle, from sourcing vendors and conducting pre-contract due diligence, to assessing supplier performance and terminating contracts.  As part of the sourcing function, procurement teams evaluate potential vendors with an eye toward understanding the third party’s financial situation, existing contractual obligations, and other factors that could prevent them from effectively executing a contract.  Activating a procurement agreement means entering into a business relationship governed by legal documentation and contracts, so meticulous due diligence is vital.  As an important stakeholder within the third-party life cycle, procurement ensures that all contractual agreements with third parties protect the strategic objectives of the organization.  Ultimately, procurement enables organizations to maximize the benefits of outsourcing business processes and functions while minimizing the risks.

Furthermore, because supplier risk is constantly evolving, risk assessments don’t end after onboarding.  Given its duties, the procurement team recognizes that, even in relation to non-IT vendors, data breaches in the supply chain can impact the organization’s ability to deliver a service or a product.  A privacy risk, furthermore, can evolve into a reputational risk, litigation risk, or financial risk in rapid order.  Your organization can be impacted by a vendor’s financial instability, regulatory violation, or ethics investigation at any time.  By unifying non-IT risk intelligence with the results of traditional cybersecurity and data privacy assessments, procurement can enrich visibility into extended supply chain risks and stay ahead of supplier disruptions before they impact the organization, reducing the risk of production downtime and reputational damage.  Procurement can achieve this while meeting the needs of multiple departments.

How can TPRM improve third-party relations beyond risk concerns?

A comprehensive, holistic risk assessment covering multiple risk areas can be used in relation to future sourcing and contracting decisions, streamlining your organization’s risk assessment and procurement processes.  A team working collaboratively to complete a single assessment of a third party, rather than subjecting that vendor or supplier to a variety of questionnaires from different departments, improves that third party’s user experience while maintaining your organization’s strategic relationship.  Organizations should look at all risks across the third-party ecosystem in a way that does not overwhelm that vendor or supplier with burdensome questions and requests for evidence as this will lead to better collaboration with those vendors or suppliers, allowing for the attainment of both TPRM and relationship management objectives.

The value of a long-term relationship with a supplier should not be underestimated: for example, suppliers that understand your organization’s objectives and cost constraints can be particularly important for businesses with tight margins, and, in volatile market conditions, long-standing suppliers are often more flexible and willing to accommodate temporary cash flow difficulties.  A supplier, manufacturer, wholesaler, or other supply chain member will be not only more reliable, but also in a better position to add value to your products if it knows what your sales, operations, and marketing plans are, and what your customers want.  By sharing more than just basic transaction information, companies can see how well operations are proceeding, how products are flowing through the chain, how well the partners are performing and cooperating with one another, and the extent to which value is being built into the product, making it more likely that supply meets demand.  Having an efficient supply chain means you can beat your competitors on the retail price and improve your profitability.

Collaboration with third parties in the supply chain furthermore increases the likelihood that your organization will be proactively informed in the event of any breaches, potentially speeding up critical response time in an emergency and minimizing losses.  It is imperative to understand how prepared your suppliers are to handle disruptions that could negatively impact your business, including evaluating their incident response, business continuity, and disaster recovery plans.  Proactively work with your supplier community to prepare for pandemics, environmental disasters, and other potential crises, and continually reassess vendor and supplier business continuity and resilience plans.

Is the lack of TPRM oversight slowing down your organization’s sales processes?

The less due diligence that is performed before onboarding a vendor, the more likely you are to experience a significant business disruption.  Third-party risks in the supply chain, such as supplier disruption, can cause a reduction in service levels and lead to dissatisfaction among the enterprise’s customer base.  Sales decrease when end-customer demand goes unmet because of product unavailability, orders only partially fulfilled in terms of quantity, and late deliveries.  This leads to customer complaints, a damaged image and brand reputation, and loss of customers.  The financial consequences then follow: lower sales, loss of revenues, and reduced market share.